TMCnet Feature

NY Times Site Remains Down After Syrian Electronic Army Hacking

The New York Times website continued to be inaccessible to readers early Wednesday, the day after online attacks. A group calling itself the Syrian Electronic Army (SEA) took responsibility.

The SEA is made up of hackers sympathetic to the Syrian government, and the incident took place as the United States was making final plans to bomb strategic sites in Syria.

The newspaper’s website first saw interruptions Tuesday afternoon. The attack was believed to be directed at the newspaper’s domain name registrar, Melbourne IT.

Also significant about this attack is that the hackers used the correct user name and password to gain access to Melbourne IT, news reports said.

"They came in through the front door," Theo Hnarakis, CEO of Melbourne IT, told Australian Broadcasting Company. "If you've got a valid user name and password ... the assumption from our systems is that you are the authorized owner and user of that domain name."

After the attack, Melbourne IT was making some changes and trying to trace the identity of the hackers to provide information to law enforcement officers, according to news reports.

Given that it involved the domain name registrar, the attack was seen as a more serious security breach than other recent attacks against U.S. media by the SEA.

"It's sort of like breaking into the local savings and loan versus breaking into Fort Knox. A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of websites," according to a statement from The New York Times.

In addition, the SEA claims it had hacked Internet registries related to Twitter and the U.K. version of the Huffington Post, news reports said. The United Kingdom may join in a military action against Syria with the United States.

However, Twitter and Huffington Post domains had some extra protection against the hackers thanks to added security, Melbourne IT said, according to a report from The Associated Press.

In its own statement on its status page, Twitter said, “It appears DNS [domain name system] records for various organizations were modified, including one of Twitter's domains used for image serving, Twimg.com. Viewing of images and photos was sporadically impacted…No Twitter user information was affected by this incident.”

In addition, Renesys Corp was able to identify the IP addresses as belonging to the SEA's website, sea.sy, The AP reported. It has been hosted in Russia.

The attacks were annoying for readers and others needing access to the sites, but larger concerns may arise if hackers could gain access to key U.S. government or infrastructure sites. For instance, no matter how difficult it may be to achieve, the Pentagon’s non-public sites would be a prime target for the SEA or similar groups – especially given the current military plans to attack Syria.

Meanwhile, word about Tuesday’s attack first came mid-afternoon (ET). The Times announced on Facebook about 5 p.m., "Many users are having difficulty accessing The New York Times online. We are working to fix the problem. Our initial assessment is the outage is most likely the result of a malicious external attack." Newspaper employees were also warned to hold off sending any key e-mails.

Several security analysts said the attack was caused by the SEA, which has been a supporter of Syrian President Bashar al-Assad. The Syrian government is being blamed for a gas attack against civilians in that country – though the government denies the claim.

Also, many visitors got messages which said "Hacked by SEA" when they reached The New York Times website.

This is far from the first hacking attack by the SEA on U.S. news organizations. It has targeted Twitter feeds of The AP, The Washington Post, and CNN. The Times' website also experienced an outage on Aug. 14, but that was not believed to have been caused by hacking, The Times said in a statement.

The most recent attack method is being described as "DNS hijacking," Robert Masse, president of Swift Identity, told The AP. In such an attack, hackers tamper with the domain name system records that direct visitors to a site.

"Companies spend a lot of time, money, resources and defending their servers, but they forget about auxiliary infrastructure that is integrally connected to their networks, like DNS," Masse said.

The recent incidents also show how important it is for an organization to be aware of security practices at third parties.

Tony Smith, a spokesman for Melbourne IT, told the Australian Broadcasting Company that credentials used for logging into the system “from one of its resellers had been used improperly.”

In response, Melbourne IT put into place the “correct domain name settings, changed the password on the compromised account, and locked the records to prevent further alterations,” the report adds.

"We will also review additional layers of security that we can add to our reseller accounts," Smith said.

"As this incident illustrates, any time you integrate third-party code into your site, it presents a new attack vector for hackers. You must not only ensure your own code is secure, but you must also rely upon third parties' security practices," Aaron Titus, an attorney at Identity Finder, told The AP.